Limit scope of changes that are monitored by Trivy scan

Do not start Trivy scan if changes not related to dependencies.
Run Trivy on daily bases.
Add badge to follow cycle Trivy scans
Enable scans on request

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>

.github/workflows/trivy.yml

@@ -1,8 +1,20 @@
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+# Copyright (C) 2024 Intel Corporation.
+
 name: Trivy scan
 
 on:
-  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: '45 8 * * *'
+  push:
     branches: ["master", "release/**"]
+  pull_request:
+    paths:
+      - '**/go.mod'
+      - '**/pom.xml'
+      - '**/requirements.txt'
+      - '**/*trivy*'
 
 # Declare default permissions as nothing.
 permissions: {}
@@ -11,6 +23,8 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-20.04
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

README.md

@@ -5,6 +5,7 @@
 [![Build](https://github.com/daos-stack/daos/actions/workflows/ci2.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/ci2.yml)
 [![Codespell](https://github.com/daos-stack/daos/actions/workflows/spelling.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/spelling.yml)
 [![Doxygen](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml)
+[![Trivy scan](https://github.com/daos-stack/daos/actions/workflows/trivy.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/trivy.yml)
 
 <a href="https://docs.daos.io/">
 <img src="https://avatars.githubusercontent.com/u/20561043?s=400&u=db7cd0ada987ba59c21c3de5f9e7cffba73c3325&v=4" width="200" height="200">

utils/trivy/trivy.yaml

@@ -1,6 +1,5 @@
 cache:
-  backend: fs
-  clear: false
+  backend: memory
   dir:
   redis:
     ca: ""